[Esd-l] auto-add iptables filter-rules to block senderips of quarantined mails

Peter Warasin Peter.Warasin at darkrealms.org
Tue Sep 9 08:57:19 PDT 2003


the SoBig.F worm made me an incredible useless amount of traffic which
somebody has to pay.
the sanitizer and the spamassassin filtered out most but that is after the
worm has made the traffic.

so i decided to write a script, which gathers ip-addresses from
quarantined mails and stores it in a special directory.

i get the ipaddress from the last Received-line, so i am sure that it is
the real sender.
there is also a possibility to choose if the ipaddress should be taken
only from senders which have their own smtp (mostly hosts which are
infected by a worm with his own smtp).

another cron-script inserts the ip-addresses into an iptables-chain if the
sender sent more than a specified amount of mail in the last 24 hours.

probably somebody here find this usefull and could test it on his box.

here is the link of the first tar:

i did not write much documentation.. so here some steps:
the perl-script mebendazol.pl should be called from procmail between the
sanitizer-localrules include and the sanitizer html-trap.procmail include.
like this:

*       X-Content-Security:.*QUARANTINE
|/usr/bin/mebendazol.pl --trash=/dev/null

the niclosamid.sh script should be called from cron every hour or so.
then the niclosmid iptables rule must be hung in in the INPUT chain manually.
(iptables -N niclosmid
iptables -I INPUT -j niclosomid)

hope this reduces some traffic ;)
if i find some more time probably i will write some more documentation and
put it on a website.

please feel free to send suggestions or comments..


More information about the esd-l mailing list